OpenSSL Vulnerability Could be Exploited for Man-in-the-Middle Attacks

June 6, 2014 | By Kevin Judge

There is more bad news this week for OpenSSL, the widely used implementation of the SSL and TLS protocols that was already hit in April by the Heartbleed bug. This week's advisory discloses a flaw in the TLS handshake that an active network attacker can exploit for a "Man-in-the-Middle" attack.

According to an OpenSSL advisory:
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server”

In practice, an attacker who can already sit on the network path between a client and a server (the so-called Man-in-the-Middle) can tamper with the handshake so that both sides derive weak keying material, and can then decrypt or modify the traffic between them. Two caveats matter when assessing exposure. First, the attack only works when both the client and the server run a vulnerable OpenSSL, so patching either endpoint stops it; the advisory further notes that servers are only known to be vulnerable on 1.0.1 and 1.0.2-beta1, while clients are affected on all versions. Second, the attacker needs an active position on the path, not merely the ability to observe traffic. The flaw is tracked as CVE-2014-0224.

The fix is to upgrade to the patched release for the branch in use:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
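The first practical step is to find out whether an installed OpenSSL is at or past the releases listed above. Because OpenSSL release letters run a..z and then za, zb, and so on, a plain string comparison misorders 0.9.8y and 0.9.8za. The script below is an added example (not part of the original post or of OpenSSL itself): it parses the output of `openssl version`, strips build suffixes such as `-fips`, and reports `fixed`, `vulnerable` or `unknown` for the three branches the advisory names. Branches it does not list (such as 1.0.2-beta1) are reported as `unknown` rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an OpenSSL
# version string is at or beyond the fixed releases named in the advisory
# (0.9.8za, 1.0.0m, 1.0.1h). Release letters run a..z and then za, zb, ...
# so each suffix is mapped to a rank before comparing.

# Map a single release letter to its position: "" -> 0, a -> 1 ... z -> 26.
letter_rank() {
    if [ -z "$1" ]; then
        echo 0
    else
        # printf with a leading quote yields the character's code point (POSIX).
        echo $(( $(printf '%d' "'$1") - 96 ))
    fi
}

# Rank a full letter suffix so that y < z < za < zb.
suffix_rank() {
    case "$1" in
        '')  echo 0 ;;
        z?)  echo $(( 26 + $(letter_rank "${1#z}") )) ;;
        ?)   letter_rank "$1" ;;
        *)   echo 0 ;;   # unrecognised suffix, treated like the initial release
    esac
}

# Print "fixed", "vulnerable" or "unknown" for a version such as "1.0.1g".
# Build suffixes like "-fips" are dropped; branches the advisory does not
# list (e.g. 1.0.2-beta1) are reported as unknown.
ccs_status() {
    v=${1%%-*}
    case "$v" in
        0.9.8*) branch=0.9.8; fixed=za ;;
        1.0.0*) branch=1.0.0; fixed=m ;;
        1.0.1*) branch=1.0.1; fixed=h ;;
        *)      echo unknown; return 0 ;;
    esac
    have=${v#"$branch"}
    if [ "$(suffix_rank "$have")" -ge "$(suffix_rank "$fixed")" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Extract the version field from "openssl version" output, e.g.
# "OpenSSL 1.0.1g 14 Mar 2014" -> "1.0.1g". Takes the banner text as $1.
version_from_banner() {
    set -- $1
    echo "$2"
}

# Check the binary on PATH; prints unknown if there is none.
# Distributions often backport the fix without changing the release letter,
# so a "vulnerable" verdict here is a prompt to read the package changelog,
# not a final answer.
check_installed() {
    if command -v openssl >/dev/null 2>&1; then
        ccs_status "$(version_from_banner "$(openssl version)")"
    else
        echo unknown
    fi
}

check_installed
```

Run it as `sh check_ccs.sh` on each host, or feed `ccs_status` a version string taken from an inventory system. Remember that a patched endpoint on either side of a connection is enough to defeat this particular attack, but both sides should still be upgraded.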